Monday 14 September 2015

Maybe I'll be back soon ;)



Hi readers!

Unfortunately, since March I haven't published any articles on the blog. I have a lot of drafts almost ready to be published, but in the past months I had a lot of new challenges and I had to work hard to achieve all my objectives.

Just to update you a bit: since July I have been working at a new company, a small company, and my days are full of very interesting activities (Citrix Xen Virtualization for server and desktop, network security, forensic analysis, ...).

I think in the next days I'll publish some new articles.

I've been working very hard on CryptoLocker for weeks; I really like this kind of activity, and that virus is seriously taking 90% of my free time.

Just for information, during the next weeks I'll be in Como to continue my work with Setificio, and I'll give a public presentation about forensic investigation. I'll publish the date soon.

I'm also trying to arrange streaming of the event for those who cannot attend.

Bye

--
zambroid

Monday 30 March 2015

From cyber-crime to cyber-terrorism - SUPSI Forensic Lab Conference


Tuesday, I had the opportunity to join a really interesting conference. Starting from the title: from cyber-crime to cyber-terrorism.
As some of you already know, I'm interested in forensic investigation and in IT security.
I personally know the person who organised the conference, so I was pretty sure it would be an interesting conference.
The conference started with a speech about datacenters and physical security.
After the first speech, it was the turn of Andrey Belenko, a security software engineer, who gave a great speech on iOS security and forensics, with a deep dive into all the security features of iOS.
The last speech was about cyber crime, presented by Luigi Ranzato, an Italian carabiniere. Luigi has a lot of experience and presented some real cases he worked on.
It was really a pleasure to be there and listen to all these experts sharing their knowledge and experiences.
A big thanks to SUPSI and Ing. Alessandro Trivilini for the organisation of these events.
See you soon ;-)

Monday 9 March 2015

D4N6 and digital life presentation @Setificio_Como (CO)




During the last few weeks I worked on an exciting, completely new activity.
I created a presentation about Digital Forensics and digital life for a school in Italy, ISIS Paolo Carcano (a.k.a. Setificio Como) (CO).

The presentation was created with prezi (www.prezi.com), and the target audience was people from 16 to around 20 years old.
My prezi presentations are not easy to read; I hope someone will have a look at this. In that case, contact me and I will explain what you need to know :-).

It was really nice to see their impressions about my presentation and their questions about the themes I proposed. They were really interested, and I really appreciate this interest. 

I will share my presentation with you. I had to write it in Italian. It includes a lot of videos which are not 100% appropriate to the themes I proposed, but the intent was to stimulate them on many different themes; young people need to be stimulated, we need to stimulate them!!

I really liked working with them and being part of this project! I hope to be part of this project in the future too.

I would like to thank the teachers who involved me in the project!

Here is the link to the presentation: D4N6 presentation on prezi.com

I hope I will have more time now to finish all the draft posts I started and publish some new articles on the blog.

See you soon!

Saturday 24 January 2015

Volatility - Memory dump analysis


In this post I will share with you my first experiences working with Volatility 2.4.

For my first use I installed it on an OS X machine, and in this case I didn't have to install Python. Yes, you read correctly, Python; but I'll install it soon on other OSes to complete this post and give a complete installation and usage guide for everyone.
Volatility is a framework implemented in Python, and it is used to extract digital artifacts from dumps of volatile memory (RAM).

With the latest version it supports Windows 8, 8.1, 2012 R2 and Mac OS X Mavericks (up to 10.9.4) memory dumps.

For any further information, have a look at the official Volatility web site: volatilityfoundation.org.

Now, let's start with the installation.

Installation

As I already mentioned, Python is required for Volatility (2.6 or later, but not 3.0), so check that prerequisite first:
    # python -V

Now check that the pycrypto package is installed:
    # python
    >>> help("modules")
In case your Python installation doesn't include pycrypto, install it as follows, after downloading it from www.dlitz.net:
    # tar zxf pycrypto-2.6.1.tar.gz
    # cd pycrypto-2.6.1
    # sudo python setup.py build install
    # python
    >>> help("modules pycrypt")

    Here is a list of matching modules.  Enter any module name to get more help.
   
    Crypto.SelfTest.Cipher.common - Self-testing for PyCrypto hash modules
    Crypto.SelfTest.Hash.common - Self-testing for PyCrypto hash modules


Now download the Volatility source code package for Mac from the official repository using this link: Volatility 2.4.
Open a shell and uncompress the package:
    # tar zxf /tmp/volatility-2.4.tar.gz

The installation of the software is really simple; you only need to enter the source directory and run the setup script:
    # cd volatility-2.4
    # sudo python setup.py build install

It will take some time to install; afterwards, check the installation with the following command:
    # python vol.py --info

As you can see, the command reports the following errors:
    # python vol.py --info
    Volatility Foundation Volatility Framework 2.4
    *** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
    *** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
    *** Failed to import volatility.plugins.linux.apihooks (ImportError: No module named distorm3)
    *** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
    *** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
    *** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
    *** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)

So what is needed now is the distorm3 Python package (the disassembler library used by the plugins above). Download it, unzip it and install it the same way:
    # unzip distorm3-3.3.0.zip
    # cd distorm3-3.3.0
    # sudo python setup.py build install

Go back to the Volatility source directory and check the installation again; the import errors should be gone:
    # cd ../volatility-2.4
    # python vol.py --info

Now Volatility is ready to be used.
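To check the prerequisites listed above in one go, here is an added shell script (not from the original post or the Volatility project). It parses the output of `python -V`, accepts only a Python 2.6 or later but not a 3.x interpreter, and confirms that the `Crypto` (pycrypto) and `distorm3` modules can be imported. The function names are my own, the interpreter name `python` is assumed, and the merging of stderr into stdout is needed because Python 2 prints its version on stderr.

```shell
#!/bin/sh
# Added example: verify the Volatility 2.4 prerequisites described above
# before running setup.py. Not part of the original post.

# Return 0 when a "Python X.Y.Z" string is in the supported range
# 2.6 <= version < 3.0; return 2 when the string cannot be parsed.
python_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Python \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver            # $1 = major, $2 = minor (local to this function)
    major=$1; minor=$2
    [ "$major" -eq 2 ] && [ "$minor" -ge 6 ]
}

# Return 0 when the named module imports under the given interpreter.
python_module_present() {
    interp=$1; module=$2
    "$interp" -c "import $module" >/dev/null 2>&1
}

# Run all checks against one interpreter (default: "python", an assumption).
check_volatility_prereqs() {
    interp=${1:-python}
    # Python 2 prints its version on stderr, so merge the streams.
    out=$("$interp" -V 2>&1) || { echo "cannot run $interp" >&2; return 1; }
    if python_version_ok "$out"; then
        echo "ok: $out"
    else
        echo "unsupported interpreter: $out (need 2.6 <= version < 3.0)" >&2
        return 1
    fi
    rc=0
    for m in Crypto distorm3; do
        if python_module_present "$interp" "$m"; then
            echo "ok: module $m"
        else
            echo "missing: module $m" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_vol.sh [interpreter]   e.g.  sh check_vol.sh python2.7
if [ $# -gt 0 ]; then
    check_volatility_prereqs "$1"
fi
```

The version parsing is kept in its own function so that it can be tested without an interpreter present; `check_volatility_prereqs` exits non-zero as soon as the interpreter is unsupported, because installing pycrypto and distorm3 into the wrong Python is the most common way to end up with the import errors shown above.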


Usage

Volatility is structured in profiles and plugins:
  • Profiles describe the OS the memory dump comes from; you must specify one so that Volatility knows how to interpret the dump.
  • Plugins are the real analysis tools. There are a lot of plugins for various operations.
Plugins and profiles can be downloaded and added to Volatility in an easy way: copy the needed files into the right directory.
Profiles are located in:
    volatility-2.4/volatility/plugins/overlays/<OS>

Plugins are located in:
    volatility-2.4/volatility/plugins/

Now that everything is ready, it is possible to analyse a memory dump with Volatility:
    # python vol.py --profile=<OS_profile> -f <MemoryDumpFile> <plugin>

The plugin list and description can be found here.
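The command line above is the whole interface, so in a real investigation you usually run a set of plugins against one dump and keep every output. The following shell wrapper is an added example, not from the original post or the Volatility project: it first runs `vol.py --info` and refuses to continue if any plugin failed to import (the distorm3 errors shown in the installation section are exactly what it catches), then runs each requested plugin with the `--profile`/`-f` syntax shown above and stores stdout and stderr per plugin. The `VOL_PYTHON` variable, the function names and the output layout are assumptions; `pslist` and `psscan` in the usage line are real Volatility plugin names.

```shell
#!/bin/sh
# Added example: a small triage wrapper around vol.py. Assumes Volatility
# 2.4's vol.py at the path given as first argument and a Python 2.x
# interpreter in $VOL_PYTHON (defaults to "python").

VOL_PYTHON=${VOL_PYTHON:-python}

# Run "vol.py --info" and fail if any plugin failed to import, which is
# what the missing-distorm3 errors look like. Returns 1 on any failure.
vol_selfcheck() {
    vol_py=$1
    failures=$("$VOL_PYTHON" "$vol_py" --info 2>&1 | grep -c 'Failed to import' || true)
    if [ "$failures" -gt 0 ]; then
        echo "vol.py reports $failures plugin import failure(s)" >&2
        return 1
    fi
    return 0
}

# Run each plugin named in $5.. against one dump, saving stdout to
# <outdir>/<plugin>.txt and stderr to <outdir>/<plugin>.err, so that one
# failing plugin never hides the results of the others.
vol_triage() {
    vol_py=$1; profile=$2; dump=$3; outdir=$4; shift 4
    [ -r "$dump" ] || { echo "dump not readable: $dump" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    rc=0
    for plugin in "$@"; do
        if "$VOL_PYTHON" "$vol_py" --profile="$profile" -f "$dump" "$plugin" \
              >"$outdir/$plugin.txt" 2>"$outdir/$plugin.err"; then
            echo "ok: $plugin"
        else
            echo "failed: $plugin (see $outdir/$plugin.err)" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh vol_triage.sh /path/to/vol.py <OS_profile> <MemoryDumpFile> outdir pslist psscan
if [ $# -ge 5 ]; then
    vol_selfcheck "$1" && vol_triage "$@"
fi
```

Keeping the `.err` file per plugin is deliberate: a wrong `--profile` usually shows up as a Python traceback on stderr for every plugin, and having it next to the empty `.txt` makes that diagnosis immediate instead of being lost in a long terminal session.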

Be patient, learn, share, and play with your memory dumps :-) .

Saturday 17 January 2015

About Zambroid

Hi everyone,

so, how can I start? Always the same... I try to write something about me and why I would like to write this blog, and I don't know how to write what I have in my little brain....

Once again.

Hi everyone,

my nickname is zambroid. I'm an IT engineer with good experience in system engineering, mostly on Unix and middleware systems, with a very big interest in everything around IT, in particular Digital Forensics, Security and the semantic web.

I started this blog today (17.01.2015), after a long time of trying to start a blog, because I understood that what I really want is to share with you, the internet, what I know or discover about IT, Digital Forensics and Security.

In this blog you will not find articles about a single topic (I will try to be tidy, I'm always an engineer :-P); you will find everything I discover or use. You know, this is only a hobby, so I don't know how frequent my posts will be.

I hope you will enjoy reading my blog.